在HTTP Basic Auth的URL中传递用户名和密码
[英]Pass username and password in URL for HTTP Basic Auth
问题描述
When passing username and password encoded in URL, eg: https://Aladdin:OpenSesame@www.example.com/index.html 
传递URL中编码的用户名和密码时,例如: https:// Aladdin:OpenSesame@www.example.com/index.html
Is the client in fact sending this in Authorization header? 客户端实际上是通过Authorization标头发送的吗? What kind of processing is needed on server side for this kind of URL encoding? 对于这种URL编码,服务器端需要什么样的处理?
1 个解决方案
解决方案1
7 已采纳 2017-05-07 08:27:04
Is the client in fact sending this in Authorization header? 客户端实际上是通过Authorization标头发送的吗?
It depends on what the client is. 这取决于客户是什么。 If the client is a browser, the answer is no. 如果客户端是浏览器,答案是否定的。 Here is the experiment result: 这是实验结果:
- In Chrome, no authorization header is sent. 在Chrome中,不会发送授权标头。
- In Firefox, no authorization header is sent. 在Firefox中,不会发送授权标头。 Firefox will also prompt a confirm dialog, as proactively sending authenticate information is weird. Firefox也会提示确认对话框,因为主动发送身份验证信息很奇怪。
- In Safari, no authorization header is sent. 在Safari中,不会发送授权标头。 Safari will also display a warning page first, as it suspect the URL is belong to a fishing site. Safari还将首先显示警告页面,因为它怀疑该URL属于钓鱼网站。
- In Opera, no authorization header is sent. 在Opera中,不会发送任何授权标头。
- I'm on Mac and can't run experiment on IE/Edge. 我在Mac上,无法在IE / Edge上运行实验。 But according to other browser's behaviour which is reasonable, I guess IE/Edge would act the same. 但根据其他浏览器的合理行为,我猜IE / Edge的行为是一样的。 Anyway, I'd appreciate if someone takes an experiment and get the result. 无论如何,如果有人参加实验并获得结果,我会很感激。
Generally speaking, browser will ignore authenticate information proactively sent in URL, for security reason. 一般来说,出于安全原因,浏览器将忽略在URL中主动发送的身份验证信息。
However, if the client is a development tool, the authenticate information may be encoded in base64 and sent as Authorization header. 但是,如果客户端是开发工具,则可以在base64中对身份验证信息进行编码,并将其作为授权标头发送。 Here is some experiment result: 这是一些实验结果:
- In curl, yes, the authorization header is sent. 在curl中,是的,发送授权标头。
- In Postman, no authorization header is sent. 在Postman中,不会发送授权标头。
Whether the authorization header is sent depends on the tool's design. 是否发送授权标头取决于工具的设计。
What kind of processing is needed on server side for this kind of URL encoding? 对于这种URL编码,服务器端需要什么样的处理?
In server side, all you need to do is get the base64 encoded string from Authorization header, decode it, and check whether it is valid. 在服务器端,您需要做的就是从Authorization标头获取base64编码的字符串,对其进行解码,并检查它是否有效。
Would it be any different if HTTP protocol is used in example URL? 如果在示例URL中使用HTTP协议会有什么不同吗?
For security, yes, Authorization header through HTTP is very insecure. 为了安全起见,是的,通过HTTP的授权标头是非常不安全的。 Base64 encoding/decoding will not make any security benefit, it can be decoded by everyone. Base64编码/解码不会带来任何安全性好处,它可以被所有人解码。
Otherwise, they are the same. 否则,他们是一样的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.